qemudb/account.php

<?php
/********************************************/
/* Account Login / Logout Handler for AppDB */
/********************************************/
include("path.php");
require(BASE."include/incl.php");
require(BASE."include/mail.php");

// set http header to not cache
header("Pragma: no-cache");
header("Cache-control: no-cache");

$aClean = array(); //array of filtered user input

// check command and process
if(!empty($_POST['cmd']))
    $aClean['cmd'] = makeSafe( $_POST['cmd'] );
else
    $aClean['cmd'] = makeSafe( $_GET['cmd'] );

do_account($aClean['cmd']);


/**
 * process according to $sCmd from URL
 */
function do_account($sCmd = null)
{
    if (!$sCmd) return 0;
    switch($sCmd)
    {
        case "new":
            apidb_header("New Account");
            include(BASE."include/"."form_new.php");
            apidb_footer();
            exit;

        case "do_new":
            cmd_do_new();
            exit;

        case "login":
            apidb_header("Login");
            include(BASE."include/"."form_login.php");
            apidb_footer();
            exit;

        case "do_login":
            cmd_do_login();
            exit;

        case "send_passwd":
            cmd_send_passwd();
            exit;

        case "logout":
            /* if we are logged in, log us out */
            if($_SESSION['current'])
                $_SESSION['current']->logout();

            redirect(apidb_fullurl("index.php"));
            exit;
    }
    //not valid command, display error page
    util_show_error_page("Internal Error","This module was called with incorrect parameters");
    exit;
}

/**
 * retry
 */
function retry($sCmd, $sMsg)
{
    addmsg($sMsg, "red");
    do_account($sCmd);
}


/**
 * create new account
 */
function cmd_do_new()
{
    $aClean = array(); //array of filtered user input

    $aClean['ext_email'] = makeSafe($_POST['ext_email']);
    $aClean['ext_password'] = makeSafe($_POST['ext_password']);
    $aClean['ext_password2'] = makeSafe($_POST['ext_password2']);
    $aClean['CVSrelease'] = makeSafe($_POST['CVSrelease']);
    $aClean['ext_realname']= makeSafe($_POST['ext_realname']);

    if(!ereg("^.+@.+\\..+$", $aClean['ext_email']))
    {
        $aClean['ext_email'] = "";
        retry("new", "Invalid email address");
        return;
    }
    if(strlen($aClean['ext_password']) < 5)
    {
        retry("new", "Password must be at least 5 characters");
        return;
    }
    if($aClean['ext_password'] != $aClean['ext_password2'])
    {
        retry("new", "Passwords don't match");
        return;
    }
    if(empty($aClean['ext_realname']))
    {
        retry("new", "You don't have a Real name?");
        return;
    }
   
    $oUser = new User();

    $iResult = $oUser->create($aClean['ext_email'], $aClean['ext_password'], $aClean['ext_realname'], $aClean['CVSrelease'] );

    if($iResult == SUCCESS)
    {
        /* if we can log the user in, log them in automatically */
        $oUser->login($aClean['ext_email'], $aClean['ext_password']);

        addmsg("Account created! (".$aClean['ext_email'].")", "green");
        redirect(apidb_fullurl());
    }
    else if($iResult == USER_CREATE_EXISTS)
    {
        addmsg("An account with this e-mail exists already.", "red");
        retry("new", "Failed to create account");
    } else if($iResult = USER_CREATE_FAILED)
    {
        addmsg("Error while creating a new user.", "red");
        retry("new", "Failed to create account");
    } else
    {
        addmsg("Unknown failure while creating new user.  Please report this problem to appdb admins.", "red");
        retry("new", "Failed to create account");
    }
}


/**
 * email lost password
 */
function cmd_send_passwd()
{
    $aClean = array(); //array of filtered user input

    $aClean['ext_email'] = makeSafe($_POST['ext_email']);

    /* if the user didn't enter any email address we should */
    /* ask them to */
    if($aClean['ext_email'] == "")
    {
        addmsg("Please enter your email address in the 'E-mail' field and re-request a new password",
               "green");
        redirect(apidb_fullurl("account.php?cmd=login"));
    }

    $shNote = '(<b>Note</b>: accounts for <b>appdb</b>.winehq.org and <b>bugs</b>.winehq.org '
           .'are separated, so You might need to <b>create second</b> account for appdb.)';
		
    $iUserId = User::exists($aClean['ext_email']);
    $sPasswd = User::generate_passwd();
    $oUser = new User($iUserId);
    if ($iUserId)
    {
        if ($oUser->update_password($sPasswd))
        {
            $sSubject =  "Application DB Lost Password";
            $sMsg  = "We have received a request that you lost your password.\r\n";
            $sMsg .= "We will create a new password for you. You can then change\r\n";
            $sMsg .= "your password at the Preferences screen.\r\n";
            $sMsg .= "Your new password is: ".$sPasswd."\r\n";
            

            if (mail_appdb($oUser->sEmail, $sSubject ,$sMsg))
            {
                addmsg("Your new password has been emailed to you.", "green");
            }
            else
            {
                addmsg("Your password has changed, but we could not email it to you. Contact Support (".APPDB_OWNER_EMAIL.") !", "red");
            }
        }
        else
        {
            addmsg("Internal Error, we could not update your password.", "red");
        }
    }
    else
    {
        addmsg("Sorry, that user (".$aClean['ext_email'].") does not exist.<br><br>"
               .$shNote, "red");
    }
    
    redirect(apidb_fullurl("account.php?cmd=login"));
}

/**
 * on login handler
 */
function cmd_do_login()
{
    $aClean = array(); //array of filtered user input

    $aClean['ext_email'] = makeSafe($_POST['ext_email']);
    $aClean['ext_password'] = makeSafe($_POST['ext_password']);

    $oUser = new User();
    $iResult = $oUser->login($aClean['ext_email'], $aClean['ext_password']);

    if($iResult == SUCCESS)
    {
        addmsg("You are successfully logged in as '$oUser->sRealname'.", "green");
        redirect(apidb_fullurl("index.php"));    	    
    } else
    {
        retry("login","Login failed ".$shNote);
    }
}

?>
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`<?php`
			`/********************************************/`
			`/* Account Login / Logout Handler for AppDB */`
			`/********************************************/`
Initial revision 2004-03-15 16:22:00 +00:00			`include("path.php");`
- use mail_appdb() instead of mail() for better error handling and to avoid code duplication - use \r\n as line separator in mail (RFC compliant) 2005-01-30 00:57:34 +00:00			`require(BASE."include/incl.php");`
			`require(BASE."include/mail.php");`
Initial revision 2004-03-15 16:22:00 +00:00
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`// set http header to not cache`
Initial revision 2004-03-15 16:22:00 +00:00			`header("Pragma: no-cache");`
			`header("Cache-control: no-cache");`

Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean = array(); //array of filtered user input`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`// check command and process`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if(!empty($_POST['cmd']))`
			`$aClean['cmd'] = makeSafe( $_POST['cmd'] );`
- access most globals by their $_XYZ['varname'] name - fix some code errors and typos (missing $ in front of variable names and so on) - fixed a lot of warnings that would have been thrown when error_reporting is set to show notices (if(isset($variable))) instead of if($variable) for example) 2004-12-10 01:07:45 +00:00			`else`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean['cmd'] = makeSafe( $_GET['cmd'] );`

			`do_account($aClean['cmd']);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
Initial revision 2004-03-15 16:22:00 +00:00
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`* process according to $sCmd from URL`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`*/`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`function do_account($sCmd = null)`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`if (!$sCmd) return 0;`
			`switch($sCmd)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
			`case "new":`
			`apidb_header("New Account");`
			`include(BASE."include/"."form_new.php");`
			`apidb_footer();`
			`exit;`

			`case "do_new":`
			`cmd_do_new();`
			`exit;`

			`case "login":`
			`apidb_header("Login");`
			`include(BASE."include/"."form_login.php");`
			`apidb_footer();`
			`exit;`

			`case "do_login":`
			`cmd_do_login();`
			`exit;`

			`case "send_passwd":`
			`cmd_send_passwd();`
			`exit;`

			`case "logout":`
Move $_SESSION['current'] manipulation into user class. Add user::logout() to keep user::login() and logout() symmetrical 2006-07-06 03:37:49 +00:00			`/* if we are logged in, log us out */`
			`if($_SESSION['current'])`
			`$_SESSION['current']->logout();`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`redirect(apidb_fullurl("index.php"));`
			`exit;`
			`}`
			`//not valid command, display error page`
Rename errorpage() to util_show_error_page() and move util_show_error_page() into include/util.php 2006-06-29 16:13:35 +00:00			`util_show_error_page("Internal Error","This module was called with incorrect parameters");`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`exit;`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
			`* retry`
			`*/`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`function retry($sCmd, $sMsg)`
Initial revision 2004-03-15 16:22:00 +00:00			`{`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`addmsg($sMsg, "red");`
			`do_account($sCmd);`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
			`/**`
			`* create new account`
			`*/`
Initial revision 2004-03-15 16:22:00 +00:00			`function cmd_do_new()`
			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean = array(); //array of filtered user input`

			`$aClean['ext_email'] = makeSafe($_POST['ext_email']);`
			`$aClean['ext_password'] = makeSafe($_POST['ext_password']);`
			`$aClean['ext_password2'] = makeSafe($_POST['ext_password2']);`
			`$aClean['CVSrelease'] = makeSafe($_POST['CVSrelease']);`
			`$aClean['ext_realname']= makeSafe($_POST['ext_realname']);`

			`if(!ereg("^.+@.+\\..+$", $aClean['ext_email']))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean['ext_email'] = "";`
This patch make email address the user's username as requested in the TODO. query_users.php is modified even if we will drop it in the future to be sure it works everywhere. 2005-01-10 22:54:04 +00:00			`retry("new", "Invalid email address");`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`return;`
			`}`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if(strlen($aClean['ext_password']) < 5)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
			`retry("new", "Password must be at least 5 characters");`
			`return;`
			`}`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if($aClean['ext_password'] != $aClean['ext_password2'])`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
			`retry("new", "Passwords don't match");`
			`return;`
			`}`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`if(empty($aClean['ext_realname']))`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
			`retry("new", "You don't have a Real name?");`
			`return;`
			`}`
This patch make email address the user's username as requested in the TODO. query_users.php is modified even if we will drop it in the future to be sure it works everywhere. 2005-01-10 22:54:04 +00:00
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$oUser = new User();`
Initial revision 2004-03-15 16:22:00 +00:00
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$iResult = $oUser->create($aClean['ext_email'], $aClean['ext_password'], $aClean['ext_realname'], $aClean['CVSrelease'] );`
Initial revision 2004-03-15 16:22:00 +00:00
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`if($iResult == SUCCESS)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
Log new users in automatically if the user was successfully created 2005-08-14 18:56:35 +00:00			`/* if we can log the user in, log them in automatically */`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$oUser->login($aClean['ext_email'], $aClean['ext_password']);`
Log new users in automatically if the user was successfully created 2005-08-14 18:56:35 +00:00
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`addmsg("Account created! (".$aClean['ext_email'].")", "green");`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`redirect(apidb_fullurl());`
			`}`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`else if($iResult == USER_CREATE_EXISTS)`
Clean up user class. Implement start of unit testing framework for appdb. Implement start of user class unit test. 2006-06-27 03:59:16 +00:00			`{`
			`addmsg("An account with this e-mail exists already.", "red");`
			`retry("new", "Failed to create account");`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`} else if($iResult = USER_CREATE_FAILED)`
Clean up user class. Implement start of unit testing framework for appdb. Implement start of user class unit test. 2006-06-27 03:59:16 +00:00			`{`
			`addmsg("Error while creating a new user.", "red");`
			`retry("new", "Failed to create account");`
			`} else`
Log new users in automatically if the user was successfully created 2005-08-14 18:56:35 +00:00			`{`
Clean up user class. Implement start of unit testing framework for appdb. Implement start of user class unit test. 2006-06-27 03:59:16 +00:00			`addmsg("Unknown failure while creating new user. Please report this problem to appdb admins.", "red");`
- OO version of user class - no more duplicated functions - improved performances (much less duplicated mysql queries) - less code and better error handling 2005-01-30 23:12:48 +00:00			`retry("new", "Failed to create account");`
Log new users in automatically if the user was successfully created 2005-08-14 18:56:35 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00
			`/**`
			`* email lost password`
			`*/`
Initial revision 2004-03-15 16:22:00 +00:00			`function cmd_send_passwd()`
			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean = array(); //array of filtered user input`

			`$aClean['ext_email'] = makeSafe($_POST['ext_email']);`

Fix requesting a new password. Missed a user::update() -> user::update_password() call. Add a more explicit message in the case where the user doesn't enter any email address. 2006-06-29 16:34:18 +00:00			`/* if the user didn't enter any email address we should */`
			`/* ask them to */`
			`if($aClean['ext_email'] == "")`
			`{`
			`addmsg("Please enter your email address in the 'E-mail' field and re-request a new password",`
			`"green");`
			`redirect(apidb_fullurl("account.php?cmd=login"));`
			`}`

Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$shNote = '(<b>Note</b>: accounts for <b>appdb</b>.winehq.org and <b>bugs</b>.winehq.org '`
Clarify that appdb and bugzilla have separate accounts when a user is requesting their password from the appdb. 2006-02-05 20:44:32 +00:00			`.'are separated, so You might need to <b>create second</b> account for appdb.)';`

Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$iUserId = User::exists($aClean['ext_email']);`
			`$sPasswd = User::generate_passwd();`
			`$oUser = new User($iUserId);`
			`if ($iUserId)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`if ($oUser->update_password($sPasswd))`
Fix some indenting in account.php. 2004-12-01 22:26:04 +00:00			`{`
- use mail_appdb() instead of mail() for better error handling and to avoid code duplication - use \r\n as line separator in mail (RFC compliant) 2005-01-30 00:57:34 +00:00			`$sSubject = "Application DB Lost Password";`
			`$sMsg = "We have received a request that you lost your password.\r\n";`
			`$sMsg .= "We will create a new password for you. You can then change\r\n";`
			`$sMsg .= "your password at the Preferences screen.\r\n";`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$sMsg .= "Your new password is: ".$sPasswd."\r\n";`
Fix some indenting in account.php. 2004-12-01 22:26:04 +00:00
- use mail_appdb() instead of mail() for better error handling and to avoid code duplication - use \r\n as line separator in mail (RFC compliant) 2005-01-30 00:57:34 +00:00
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`if (mail_appdb($oUser->sEmail, $sSubject ,$sMsg))`
Fix some indenting in account.php. 2004-12-01 22:26:04 +00:00			`{`
			`addmsg("Your new password has been emailed to you.", "green");`
			`}`
			`else`
			`{`
- use mail_appdb() instead of mail() for better error handling and to avoid code duplication - use \r\n as line separator in mail (RFC compliant) 2005-01-30 00:57:34 +00:00			`addmsg("Your password has changed, but we could not email it to you. Contact Support (".APPDB_OWNER_EMAIL.") !", "red");`
Fix some indenting in account.php. 2004-12-01 22:26:04 +00:00			`}`
			`}`
			`else`
			`{`
			`addmsg("Internal Error, we could not update your password.", "red");`
			`}`
Initial revision 2004-03-15 16:22:00 +00:00			`}`
			`else`
			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`addmsg("Sorry, that user (".$aClean['ext_email'].") does not exist.<br><br>"`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`.$shNote, "red");`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

			`redirect(apidb_fullurl("account.php?cmd=login"));`
			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`/**`
			`* on login handler`
			`*/`
Initial revision 2004-03-15 16:22:00 +00:00			`function cmd_do_login()`
			`{`
Filter all user input to reduce the security impact of manipulated data 2006-06-17 06:10:10 +00:00			`$aClean = array(); //array of filtered user input`

			`$aClean['ext_email'] = makeSafe($_POST['ext_email']);`
			`$aClean['ext_password'] = makeSafe($_POST['ext_password']);`

Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`$oUser = new User();`
			`$iResult = $oUser->login($aClean['ext_email'], $aClean['ext_password']);`
Initial revision 2004-03-15 16:22:00 +00:00
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`if($iResult == SUCCESS)`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`{`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`addmsg("You are successfully logged in as '$oUser->sRealname'.", "green");`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`redirect(apidb_fullurl("index.php"));`
			`} else`
			`{`
Cleanup variable naming in account.php 2006-07-06 03:45:17 +00:00			`retry("login","Login failed ".$shNote);`
- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`}`
Initial revision 2004-03-15 16:22:00 +00:00			`}`

- replaced tons of tabs with spaces - replaced <? with <?php for compatibility sake (see TODO and CODING_STANDARD to know more) - improved overall code lisibility 2004-12-12 03:51:51 +00:00			`?>`